The rise in data security breaches and trade secret piracy over the past year is a wake-up call for executives – network security is not enough for finance companies. Incredibly, one in 400 messages leaving a company contains confidential data, and one in 50 files on an open share (a folder where anyone on the network can add, delete or change files without needing a username and password) is exposed.
I believe that the threat posed internally is just as great as that evident at the perimeter.
Spear phishing threat
Over the last few years we have seen an increasing number of internal network threats in the financial services industry. These range from targeted ‘spear phishing attacks’, disgruntled employees and mismanagement in a ‘get the job done’ approach, right down to intellectual property walking out on a device attached to the company’s network.
Spear phishing attacks are particularly prevalent within the industry. Spear phishers send e-mails that appear genuine to employees or members of the company, organisation, or group. The message might look like it comes from your employer, or from a colleague who would plausibly e-mail everyone in the company, such as the head of human resources or the person who manages the computer systems. It may include requests for user names or passwords.
The truth is that the e-mail sender information has been faked or ‘spoofed’. Whereas traditional phishing scams are designed to steal information from individuals, spear phishing scams work to gain access to the company’s entire computer system. Any employee who responds with a user name or password, clicks a link, or opens an attachment in a spear phishing e-mail, pop-up window, or website risks becoming a victim of identity theft, which puts both them and the company at risk.
Internal staff still believe that the corporate network and company data are theirs to use indiscriminately. Of course, organisations need to allow employees the flexibility to enjoy their roles, but with access control, monitoring and blocking of company data. It’s important to remember that this is the responsibility of the organisation itself – not everybody has the company’s best interests at heart.
Let’s look at data and how you can protect it in more detail.
Data in motion
A finance organisation needs more than network security and access control to guard its confidential data. Client lists, policy and account details are particularly sensitive. The organisation must protect the data itself. A good start would be to look at the three key elements of data visibility and control – namely:
- Where is your confidential data?
- Where is the data going?
- What do you do once you find exposed confidential data?
With encryption visibility and control you will know exactly where your confidential data is going. I have worked with many finance organisations to help them deal with this problem. I always recommend secure messaging integration to provide encryption visibility and control in four areas:
- Monitor and prevent information sent over encrypted email and web channels;
- Automate and enforce policies for information that must be sent encrypted;
- Detect unauthorised use of desktop encryption;
- Safeguard employee privacy. Monitoring and prevention must comply with international privacy requirements, so the solution itself must protect the privacy of your employees.
Financial services organisations need to reduce the frequency and severity of both inadvertent and malicious data loss incidents to protect brand and reputation, safeguard customer data, protect intellectual property, and demonstrate compliance.
IT security is evolving and solutions are becoming much more sophisticated. To manage data at rest, choose a solution that discovers exposed customer data, including account information, credit card or social security numbers, residing on shared file servers, web servers, and desktops. Make sure the solution automatically quarantines or deletes this information. Just as important, however, is preventing customer data from leaving the network: for example, when an employee planning to work at home attempts to send a customer data file to their Yahoo mail account, make sure you can block the transmission unless the individual is authorised to do so.
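The following is an added example, not code from the article or from any product it alludes to. It sketches the two controls described above (a data-at-rest scan of an open share that flags files for quarantine, and an outbound check that blocks customer data or uninspectable encrypted content going to an external mailbox from an unauthorised sender, which also covers the "detect unauthorised use of desktop encryption" point in the earlier list). The share contents, the messages, the company domain and the authorised-sender list are all constructed here; card numbers are validated with the Luhn checksum and SSNs with the basic range rules the SSA publishes, which keeps random digit runs such as ticket numbers out of the findings.

```python
"""Minimal confidential-data discovery and egress check (constructed example)."""
import re
from typing import Dict, List, Tuple

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security number in the common ###-##-#### layout.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Desktop encryption the gateway cannot inspect (OpenPGP ASCII-armour header).
PGP_RE = re.compile(r"-----BEGIN PGP MESSAGE-----")

COMPANY_DOMAIN = "example-finance.test"                  # assumption
AUTHORISED_SENDERS = {"dlp-admin@example-finance.test"}  # assumption


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives from arbitrary runs of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped values the SSA never issues (area 000/666/9xx, group 00, serial 0000)."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def mask(value: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, masked value) for each confidential item found in text."""
    hits: List[Tuple[str, str]] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", mask(digits)))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("ssn", mask(m.group(0))))
    return hits


def discover_exposed(files: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Scan every file on a share; return path -> findings for files to quarantine."""
    exposed = {}
    for path, text in files.items():
        hits = find_sensitive(text)
        if hits:
            exposed[path] = hits
    return exposed


def check_outbound(sender: str, recipient: str, body: str) -> Tuple[str, str]:
    """Decide ('allow'|'block', reason) for one outbound message."""
    external = recipient.rsplit("@", 1)[-1].lower() != COMPANY_DOMAIN
    authorised = sender.lower() in AUTHORISED_SENDERS
    if external and not authorised:
        hits = find_sensitive(body)
        if hits:
            kinds = ", ".join(sorted({k for k, _ in hits}))
            return "block", f"customer data ({kinds}) to external recipient from unauthorised sender"
        if PGP_RE.search(body):
            return "block", "encrypted content the gateway cannot inspect, from unauthorised sender"
    return "allow", "no policy match"


# Constructed sample share: one file holds customer data, one holds a look-alike ticket number.
SAMPLE_SHARE = {
    "finance/clients/renewals.csv": "Jane Doe,4111 1111 1111 1111,219-09-9999\n",
    "it/notes.txt": "Ticket 20240101123456 opened; call back on 555-0100\n",
}

if __name__ == "__main__":
    for path, hits in discover_exposed(SAMPLE_SHARE).items():
        print(f"quarantine {path}: {hits}")
    print(check_outbound("bob@example-finance.test", "bob.home@yahoo.com",
                         "working from home, see attached: 4111 1111 1111 1111"))
```

The scan reports masked values only, so the discovery log does not itself become another copy of the exposed data; the egress rule allows internal-to-internal mail and mail from the authorised sender, and blocks the working-from-home case the article describes.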
Remember, data is your property. It is your responsibility to protect it and manage it well.